<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="browsermode" content="application">
<meta name="apple-touch-fullscreen" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="Axojhf的博客">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<meta name="msapplication-navbutton-color" content="#666666">
<meta name= "format-detection" content="telephone=no" />





  <meta name="keywords" content="其他, nlvi" />


<link rel="apple-touch-startup-image" media="(device-width: 375px)" href="assets/apple-launch-1125x2436.png">
<link rel="apple-touch-startup-image" media="(orientation: landscape)" href="assets/apple-touch-startup-image-2048x1496.png">

<link rel="stylesheet" href="/blog/style/style.css">

<script>
  var nlviconfig = {
    title: "Axojhf的博客",
    author: "Axojhf",
    baseUrl: "/blog/",
    theme: {
      scheme: "banderole",
      lightbox: true,
      animate: true,
      search: true,
      friends: false,
      reward: false,
      pjax: false,
      lazy: false,
      toc: true
    }
  }
</script>




    
<link rel="stylesheet" href="/blog/script/lib/lightbox/css/lightbox.min.css">





    
<link rel="stylesheet" href="/blog/syuanpi/syuanpi.min.css">
















<style>
@font-face {
  font-family: "Allura";
  src: url('/blog/font/allura/allura.ttf');
}
</style>

  <title> Setting up a Pwn environment and sharing solutions to some simple Pwn challenges · Axojhf's Blog </title>
<meta name="generator" content="Hexo 4.2.1"></head>
<body>
  <div class="container">
    <header class="header" id="header">
  <div class="header-wrapper">
    <div class="logo">
  <div class="logo-inner syuanpi tvIn" style="display:none;">
    <h1><a href="/blog/">Axojhf's Blog</a></h1>
    
  </div>
</div>


  </div>
</header>



    <div class="container-inner" style="display:none;">
      <main class="main" id="main">
        <div class="main-wrapper">
          
    
  
  <article class="
  post
   is_post 
  ">
    <header class="post-header">
      <div class="post-time syuanpi fadeInRightShort back-1">
        <div class="post-time-wrapper">
          
          <time>2020-08-07</time>
          
        </div>
      </div>
      <h2 class="post-title syuanpi fadeInRightShort back-2">
        
          Setting up a Pwn environment and sharing solutions to some simple Pwn challenges
        
      </h2>
    </header>
    <div class="post-content syuanpi fadeInRightShort back-3">
      
        <p>This article was written specifically for a sharing session. Its aim is to share my experience setting up a local environment for solving Pwn challenges, and to give a brief introduction to a few fairly simple beginner-level Pwn problems.</p>
<p>(I am still a beginner; my understanding of some points may not be thorough and some wording may not be rigorous. Corrections are welcome, and please bear with me.)</p>
<a id="more"></a>

<h1 id="Pwn是什么？"><a href="#Pwn是什么？" class="headerlink" title="Pwn是什么？"></a>What is Pwn?</h1><blockquote>
<p>"Pwn" is a piece of hacker slang meaning to break into a device or system; it is pronounced roughly like "砰" (pēng, "bang"). In CTF competitions it mainly refers to vulnerability exploitation. Pwn challenges typically require getting a shell and obtaining the flag.</p>
<p>Excerpted and condensed from 《CTF特训营》 (CTF Training Camp, China Machine Press)</p>
</blockquote>
<h1 id="搭建本地调试，解题环境"><a href="#搭建本地调试，解题环境" class="headerlink" title="搭建本地调试，解题环境"></a>Setting up a local debugging and solving environment</h1><p>First you need a Linux virtual machine, preferably Ubuntu (many Pwn challenges run on Ubuntu, and some require fairly detailed analysis of the system's glibc, so other distributions put you at a disadvantage; 16.04 and 18.04 both work, and I personally use 16.04 most of the time).</p>
<p>(Apart from <strong>IDA Pro</strong>, the software below is normally installed on Linux.)</p>
<ul>
<li><p><strong>IDA Pro</strong>: disassembler with a very handy "F5" feature that decompiles to C (not always accurate; read it alongside the assembly), generally used for static analysis. It can be found in 52pojie's "Aipan" file share: <a href="https://down.52pojie.cn/Tools/Disassemblers/" target="_blank" rel="noopener">link</a></p>
</li>
<li><p><strong>gdb</strong>: the standard Linux debugger, shipped with most distributions. Two gdb plugins worth recommending: <a href="https://github.com/pwndbg/pwndbg" target="_blank" rel="noopener">pwndbg</a> and <a href="https://github.com/scwuaptx/Pwngdb" target="_blank" rel="noopener">Pwngdb</a>.<br>(These are two different plugins with confusingly similar names. pwndbg is very convenient and shows registers, disassembly, the stack and so on at the same time; Pwngdb is one I came across in a writeup, and it has commands that display heap-related structures more clearly.)</p>
</li>
<li><p><strong>pwntools</strong>: the go-to library for writing solve scripts; most CTF challenges need it.<br>Install: <code>sudo pip install pwntools</code> (① Python must be installed first; both 2.7 and 3.x should work. ② Installing as root makes some of its tools usable directly from bash, for example <code>checksec</code> to show a binary's protection settings; it also lets a script launch gdb against the process that pwntools started.)</p>
</li>
</ul>
<p>The three tools above are generally indispensable for solving Pwn challenges; here are a few more helper tools I find useful:</p>
<ul>
<li><strong>ROPgadget</strong>: finds the gadgets used to build a ROP chain.<br>Install: <code>pip install ropgadget</code>. Usage: see <a href="https://github.com/JonathanSalwan/ROPgadget" target="_blank" rel="noopener">https://github.com/JonathanSalwan/ROPgadget</a></li>
<li><strong>one_gadget</strong>: analyzes a libc for code locations that can be used to perform the <code>execve(&#39;/bin/sh&#39;, NULL, NULL)</code> system call; extremely useful in heavily constrained challenges.<br>Install: <code>sudo gem install one_gadget</code> (it apparently cannot be installed without root; gem is Ruby's package manager, so the Ruby toolchain must be installed first; see <a href="https://github.com/david942j/one_gadget" target="_blank" rel="noopener">https://github.com/david942j/one_gadget</a>)</li>
<li><strong>seccomp-tools</strong>: shows a program's seccomp (Secure Computing) filter; several recent competitions had seccomp-related challenges.<br>Install: <code>sudo gem install seccomp-tools</code> (note: this is awkward to install on Ubuntu 16.04: the Ruby that apt installs on my Ubuntu 16.04 is 2.3.1p112, while this tool needs at least 2.4; Ubuntu 18.04 installs it without trouble; see <a href="https://github.com/david942j/seccomp-tools" target="_blank" rel="noopener">https://github.com/david942j/seccomp-tools</a>)</li>
<li><strong>LibcSearcher</strong>: given the leaked real address of one libc function, identifies the matching libc build and from it the addresses of other functions.<br>Install: see <a href="https://github.com/lieanu/LibcSearcher" target="_blank" rel="noopener">https://github.com/lieanu/LibcSearcher</a></li>
</ul>
<p>For writing Pwn solve scripts on Linux I have used PyCharm Community Edition and VS Code; running scripts from VS Code's built-in terminal to debug a Pwn target is sometimes inconvenient, so PyCharm works somewhat better for me.</p>
<h1 id="简单栈溢出的学习"><a href="#简单栈溢出的学习" class="headerlink" title="简单栈溢出的学习"></a>Learning simple stack overflows</h1><p>First, we need to know that while a function is running, the program uses the stack to store information about that function. The rough layout is shown in the figure below:</p>
<img src="函数栈相关.jpg" alt="Function stack frame layout" style="zoom: 50%;" />

<p>In the example vuln0 there is a function <code>vulnfunc</code> that directly opens a shell, so we need a way to redirect the program's control flow to <code>vulnfunc</code>. The function's return address is stored in the slot just past the saved ebp (drawn below ebp in the diagram); we only need to overwrite it with the address of <code>vulnfunc</code>.</p>
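<p>As an added worked example (mine, not code from the original post), the C program below makes the stack diagram concrete. A <code>vulnfunc</code>-style function records the address of a 16-byte local buffer, its saved frame pointer (via the GCC/Clang builtin <code>__builtin_frame_address(0)</code>) and the return-address slot one pointer above it, and verifies that the slot really contains <code>__builtin_return_address(0)</code>; <code>bytes_from_buf_to_ret</code> is the distance an unchecked write must cover before it touches the return address. The post does not show vuln0's source, so the assumption that it reads input with an unbounded call such as <code>gets</code> is mine; <code>bounded_copy</code> is the corresponding fix, a copy that can never reach the saved ebp at all. All function and struct names are my own.</p>

```c
/* Added example, not from the original post: make the stack-frame diagram
 * concrete and contrast an unbounded read with a bounded one.
 * Assumes GCC or Clang (for the two __builtin_* calls) on x86/x86-64, where
 * locals sit below the saved frame pointer and the return address is the
 * slot directly above it. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16

struct frame_info {
    uintptr_t buf;          /* address of the local buffer */
    uintptr_t saved_fp;     /* slot holding the caller's ebp/rbp */
    uintptr_t ret_slot;     /* slot holding the return address */
    uintptr_t ret_value;    /* what that slot actually contains */
    uintptr_t ret_expected; /* what the compiler says we return to */
};

/* noinline: if this were inlined it would have no frame of its own.
 * __builtin_frame_address(0) is this function's frame pointer, i.e. the
 * address of the saved ebp/rbp; the return address is the next slot up. */
__attribute__((noinline))
static struct frame_info inspect_frame(void)
{
    char buf[BUF_SIZE];
    struct frame_info fi;

    memset(buf, 'A', sizeof buf);                 /* constructed filler */
    fi.buf          = (uintptr_t)buf;
    fi.saved_fp     = (uintptr_t)__builtin_frame_address(0);
    fi.ret_slot     = fi.saved_fp + sizeof(void *);
    memcpy(&fi.ret_value, (void *)fi.ret_slot, sizeof fi.ret_value);
    fi.ret_expected = (uintptr_t)__builtin_return_address(0);
    return fi;
}

/* Does the slot above the saved frame pointer really hold the address the
 * function returns to? If yes, the diagram matches the compiled code. */
int ret_slot_holds_return_address(void)
{
    struct frame_info fi = inspect_frame();
    return fi.ret_value == fi.ret_expected;
}

/* Distance an unchecked write starting at buf must cover before it reaches
 * the return address: buffer + alignment slack (+ canary, if the stack
 * protector is on) + saved ebp/rbp. This is the "padding" in the diagram. */
long bytes_from_buf_to_ret(void)
{
    struct frame_info fi = inspect_frame();
    return (long)(fi.ret_slot - fi.buf);
}

/* Hardened read (the "after" of a gets()-style read, which has no bound at
 * all): copy at most cap-1 bytes and always NUL-terminate. The caller sees
 * how many bytes were kept, so truncation is detectable rather than silent. */
size_t bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return 0;
    if (n >= cap)
        n = cap - 1;                  /* truncate instead of overflowing */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed 40-byte input against the 16-byte buffer: 15 bytes are kept
 * and the terminator is in place. Returns bytes kept, (size_t)-1 on error. */
size_t demo_truncation(void)
{
    char dst[BUF_SIZE];
    const char *input = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    size_t kept = bounded_copy(dst, sizeof dst, input);
    return dst[kept] == '\0' ? kept : (size_t)-1;
}

/* A short input must pass through unchanged. */
int short_input_intact(void)
{
    char dst[BUF_SIZE];
    return bounded_copy(dst, sizeof dst, "hello") == 5 &&
           strcmp(dst, "hello") == 0;
}

int main(void)
{
    struct frame_info fi = inspect_frame();
    printf("buf            = %#lx\n", (unsigned long)fi.buf);
    printf("saved ebp/rbp  = %#lx\n", (unsigned long)fi.saved_fp);
    printf("return address = %#lx (in slot %#lx)\n",
           (unsigned long)fi.ret_value, (unsigned long)fi.ret_slot);
    printf("slot holds the return address: %s\n",
           ret_slot_holds_return_address() ? "yes" : "no");
    printf("bytes from buf to return address: %ld\n", bytes_from_buf_to_ret());
    printf("40-byte input into 16-byte buffer: %zu bytes kept\n",
           demo_truncation());
    return 0;
}
```

<p>Build it with <code>gcc</code> (64-bit) or <code>gcc -m32</code> to match the ebp picture. With the stack protector that Ubuntu's gcc enables by default, the reported distance also includes the canary slot, which is exactly why the canary is placed between the buffer and the saved ebp: an overflow has to corrupt it before it can reach the return address.</p>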

      
    
    </div>
    
      <div class="post-tags syuanpi fadeInRightShort back-3">
      
        <a href="/blog/tags/%E5%85%B6%E4%BB%96/">Other</a>
      
      </div>
    
    
      

      
  <hr class="copy-line">
  <div class="post-copyright">
    <div class="copy-author">
      <span>Author :</span>
      <span>Axojhf</span>
    </div>
    <div class="copy-url">
      <span>URL :</span>
      <a href="http://xiaoaoaode.gitee.io/blog/2020/08/07/38a4c9bb/">http://xiaoaoaode.gitee.io/blog/2020/08/07/38a4c9bb/</a>
    </div>
    <div class="copy-origin">
      <span>Source :</span>
      <a href="http://xiaoaoaode.gitee.io/blog">http://xiaoaoaode.gitee.io/blog</a>
    </div>
    <div class="copy-license">
      
      Copyright belongs to the author; please contact the author for permission before reposting.
    </div>
  </div>

    
  </article>
  
    


    



  
  
    
  
  <aside class="post-toc">
    <div class="title"><span>Contents</span></div>
    <div class="toc-inner">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#Pwn是什么？"><span class="toc-text">What is Pwn?</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#搭建本地调试，解题环境"><span class="toc-text">Setting up a local debugging and solving environment</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#简单栈溢出的学习"><span class="toc-text">Learning simple stack overflows</span></a></li></ol>
    </div>
  </aside>



  


        </div>
      </main>
      <footer class="footer syuanpi fadeIn" id="footer">
  <hr>
  <div class="footer-wrapper">
    <div class="left">
      <div class="contact-icon">
  
  
</div>

    </div>
    <div class="right">
      <div class="copyright">
    <div class="info">
        <span>&copy;</span>
        <span>2020 ~ 2020</span>
        <span>❤</span>
        <span>Axojhf</span>
    </div>
    <div class="theme">
        <span>
            Powered by
            <a href="http://hexo.io/" target="_blank" rel="noopener">Hexo </a>
        </span>
        <span>
            Theme
            <a href="https://github.com/ColMugX/hexo-theme-Nlvi" target="_blank" rel="noopener"> Nlvi </a>
        </span>
    </div>
    
</div>

    </div>
  </div>
</footer>
    </div>

  </div>







</body>
</html>
